[Pkg-clamav-devel] Bug#951057: clamav-freshclam: allow overriding of CA store

Sebastian Andrzej Siewior sebastian at breakpoint.cc
Sun Feb 16 23:00:43 GMT 2020


On 2020-02-10 13:50:00 [+0000], Adam D. Barratt wrote:
> With 0.102, Freshclam started using libcurl for database downloads, but
> appears to provide no way to configure which certificates should be trusted.

I just learned about the https part.

…
> but this isn't ideal. A configuration option to allow specifying an
> alternative bundle / root, or even respecting CURL_CA_BUNDLE, would be much
> appreciated.

I've been plumbing a variable from the config file up to the needed part
at the other end of the source code and I got bored in the middle of it.
This would also require a .so bump of the libfreshclam but since the
header files are never exported as part of any -dev package I think we
could get around it (but you get the idea of the change).
And then you said that respecting CURL_CA_BUNDLE would do the job for
you and this would make the change much easier.

I was going to submit a pu for 102.2 which migrated to testing a few
days ago and then this showed up. At [0] I prepared a deb9u1 based
package of 102.2 with a patch [1] on top of it which should do just what
you asked for (just set the environment variable CURL_CA_BUNDLE before
invoking freshclam and all should be good).
In my testing I've set CURL_CA_BUNDLE to /bin/bash and freshclam didn't
work so I think it will work if you set it properly :) I didn't look at
the daemon mode…

The tar archive contains a source package and an amd64 binary one. If
you could test it and confirm that it works for you, that would be
great.

[0] https://breakpoint.cc/clamav_0.102.2+dfsg-0~deb9u1.tar
[1] https://salsa.debian.org/clamav-team/clamav/blob/unstable/debian/patches/clamsubmit-libfreshclam-Use-CURL_CA_BUNDLE.patch

> Regards,
> 
> Adam

Sebastian


